This article covers setting up both SAML-based single sign-on and SCIM-based user and group provisioning.
SAML Single Sign-On (SSO) and SCIM user provisioning are offered with select plans. Visit our pricing page for details.
Setting up SAML-based single sign-on (SSO)
SAML-based single sign-on (SSO) gives members access to Fulcrum through an identity provider (IdP) of your choice.
Each organization in Fulcrum can configure its own SAML-based SSO settings, including a unique Entity ID and SAML parameters, ensuring secure and seamless authentication for its users.
Fulcrum’s SSO can be used with any directory management system that supports the SAML standard; we’ve also published apps with two of the most popular identity management platforms: Okta and Microsoft’s Entra ID (formerly Azure Active Directory) service. Each platform provides preconfigured apps that simplify provisioning within your directory.
Our SSO integration isn’t limited to these platforms, however. Other SAML-based systems that work with Fulcrum include Auth0, G Suite, Bitium, Microsoft ADFS, OneLogin, Centrify, and more.
However, in multi-organization scenarios, users associated with multiple organizations may face authentication conflicts due to differing SAML configurations. To avoid such issues, ensure that user accounts are associated with only one organization.
What to Expect after Enabling SSO
Fulcrum supports a mixed environment of both managed (SSO) and unmanaged (Standard Fulcrum login) users.
Existing unmanaged members can be migrated to managed members if they are not members of any other Fulcrum Organizations.
SSO managed members can have the same email as existing Fulcrum system (unmanaged) members.
Only members with an Owner system role can add unmanaged members once SSO has been enabled.
Users associated with multiple organizations may encounter authentication conflicts. To resolve this, ensure the user account is linked to only one organization.
If you need to migrate existing users to SSO, please contact Fulcrum Support ([email protected]) to coordinate that process.
Step 1: Configure your Identity Provider
To set up SSO for your Fulcrum organization, you'll need to create a connection between Fulcrum and your IdP. Fulcrum SSO can be configured to use any IdP that supports the SAML 2.0 specification.
Fulcrum supports Service Provider (SP) and Identity Provider (IdP) Initiated SSO.
Fulcrum supports Just In Time (JIT) user provisioning.
Fulcrum expects the following attributes in the SAML response:
first_name, last_name, email. The role attribute is optional and will default to Fulcrum's default role if omitted.
Step 2: Exchange Metadata
Once your IdP is configured, send your SAML metadata to Fulcrum Support ([email protected]). We will establish a domain for your organization, ingest your metadata and provide the appropriate metadata for your IdP.
Remote System Parameters
SAML Endpoint URL (Identity Provider URL)
SAML Identity Provider Issuer (also called IdP Entity ID) (Optional)
SAML Public X.509 Certificate
Fulcrum Parameters
SAML Entity ID (Issuer)
SAML Single Sign On URL (Assertion Consumer Service URL) (ACS URL)
SAML Sign on URL (Shareable URL to Sign in to Fulcrum)
Step 3: Authenticate via SSO
Once SSO has been configured, you can authenticate to Fulcrum via your IdP on both the web and mobile apps. We can also optionally set a SAML timeout value to force authentication at a preset interval.
If authentication issues arise, verify that the SAML settings and Entity ID are correctly configured for the organization. Additionally, ensure users are assigned to the correct SAML application in the identity provider.
Note:
Be sure to review your Role settings to ensure the Default role is set as you expect before adding your SSO users.
In multi-organization scenarios, ensure that the Default role is consistent across all organizations to prevent role assignment conflicts.
When an unmanaged user is converted to a managed user, anyone logged into the mobile app is forced to re-authenticate the next time the app syncs. The user can no longer sign in with a password; they are signed out and must re-authenticate via SSO.
An organization can consist entirely of SSO managed members. Organizations must have at least one member and at least one Owner role.
Fulcrum requires the SAML NameID and the email attribute sent by the IdP to match.
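As an added illustration (not Fulcrum's own code), the following Python check inspects a SAML assertion for the attributes listed in Step 1 (first_name, last_name, email, optional role) and applies the NameID/email rule from the note above. The assertion XML is constructed for this example; the attribute names are assumed to arrive exactly as listed (not as URI-style names), the EXAMPLE_ROLE and DEFAULT_ROLE values are placeholders, and signature and audience validation are out of scope and assumed to have already happened.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Namespace prefix for the SAML 2.0 assertion schema.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names the article says Fulcrum expects; "role" is optional.
REQUIRED_ATTRS = ("first_name", "last_name", "email")

# Constructed sample assertion (Signature and Conditions omitted). In production,
# parse with defusedxml and run this check only after the signature and
# audience have been validated; this example is about attribute content only.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Subject><saml:NameID>ada@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>EXAMPLE_ROLE</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed variants: NameID that is not the email, and a dropped required attribute.
MISMATCHED_ASSERTION = GOOD_ASSERTION.replace(
    "<saml:NameID>ada@example.com", "<saml:NameID>alovelace")
MISSING_ATTR_ASSERTION = GOOD_ASSERTION.replace(
    '<saml:Attribute Name="last_name"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>', "")


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: first value} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if attr.get("Name") and value is not None and value.text:
            attrs[attr.get("Name")] = value.text.strip()
    return attrs


def extract_name_id(assertion_xml: str) -> Optional[str]:
    """Return the Subject NameID, or None if the assertion has none."""
    root = ET.fromstring(assertion_xml)
    node = root.find(".//saml:Subject/saml:NameID", NS)
    return node.text.strip() if node is not None and node.text else None


def effective_role(attrs: dict, default_role: str) -> str:
    """The optional role attribute wins; otherwise the organization's default role applies."""
    return attrs.get("role", default_role)


def check_assertion(assertion_xml: str) -> list:
    """Return a list of problems; an empty list means the assertion carries what the article expects."""
    problems = []
    attrs = extract_attributes(assertion_xml)
    for name in REQUIRED_ATTRS:
        if name not in attrs:
            problems.append(f"missing required attribute: {name}")
    name_id = extract_name_id(assertion_xml)
    email = attrs.get("email")
    if name_id is None:
        problems.append("missing NameID")
    elif email is not None and name_id != email:
        # Compared exactly; any case normalization is left to the IdP (assumption).
        problems.append(f"NameID {name_id!r} does not match email attribute {email!r}")
    return problems


if __name__ == "__main__":
    for label, xml in (("good", GOOD_ASSERTION), ("mismatch", MISMATCHED_ASSERTION),
                       ("missing", MISSING_ATTR_ASSERTION)):
        print(label, check_assertion(xml) or "ok")
```

Running the check against a real assertion captured from your IdP's SAML tracer (after the IdP has been configured as in Step 1) shows whether the attribute names and NameID format match before you send metadata to Fulcrum Support.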
Related Articles:
Configure Fulcrum for Single sign-on with Microsoft Entra ID
Configure Fulcrum for Single sign-on with Okta
Advanced Scenarios and Troubleshooting
Guidelines for Multi-Organization SSO Configuration
Use a single identity provider (e.g., Microsoft Entra, Okta) for managing user authentication.
Create separate SAML applications for each Fulcrum organization requiring SSO.
Ensure each organization has unique SAML settings and Entity ID.
Test configurations for each organization to verify functionality.
Example: Setting Up SSO in Microsoft Entra (Azure AD)
Use a single Microsoft Entra tenant for identity management.
Create separate SAML applications for each Fulcrum organization.
Configure each application with unique SAML settings and Entity ID provided by Fulcrum.
Assign users to the appropriate SAML application based on their organization.
Troubleshooting Common SSO Issues
Authentication Conflicts: Ensure user accounts are associated with only one organization.
Configuration Errors: Double-check SAML settings and Entity ID for each organization.
Access Issues: Verify users are assigned to the correct SAML application in the identity provider.
Setting up SCIM-based user and group provisioning
Fulcrum supports user and group provisioning with the System for Cross-domain Identity Management (SCIM) standard.
SCIM-based provisioning allows you to:
Provision and deprovision Fulcrum users and groups efficiently through your identity provider (IdP).
Push Groups - Groups in your IdP can be assigned to the Fulcrum application. The users in those groups will automatically be created and added as members of your Fulcrum organization. In addition, the groups themselves may be created in Fulcrum as Fulcrum groups.
Map Roles - When app roles are set up and assigned to users or groups in your IdP, Fulcrum members will automatically be assigned the corresponding Fulcrum role.
Value that SCIM-based provisioning provides:
Automates and simplifies onboarding and offboarding of Fulcrum users
Security - deprovisions users automatically when they leave your organization
Step 1: Get the API Token
In Fulcrum, generate and copy the API token.
Step 2: Enter the API Token in your identity management platform
Go to your identity management platform, such as Okta or Microsoft Entra ID (formerly Azure Active Directory), and use the token generated in Step 1 as your authorization header.
Note: Fulcrum SCIM integration with Entra ID (formerly Azure Active Directory) is currently under review with Microsoft and you will not see it on the Entra ID site yet. SCIM-based user provisioning can currently be manually configured to work between Entra ID and Fulcrum.
Step 3: Set a default member for record reassignment (optional)
Within Fulcrum's Organizational Profile Settings, set a default record reassignee. This ensures that when members are removed via SCIM deprovisioning or the API, their assigned records are automatically reassigned to the designated user.
Note:
API tokens are bound to the user who created them. If that user or the API key is removed, the SCIM user provisioning integration must be reconfigured.
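As an added example (not Fulcrum's code or its real SCIM endpoint), the Python below shows the two halves of the exchange that Steps 1 and 2 set up: the requests an IdP sends with the API token as a bearer token (a SCIM 2.0 create-user POST and the active=false PATCH used for deprovisioning), and a service-side token check that models the note above, where tokens belong to the member who created them and stop working when that member is removed. The base URL, token value, SCIM user id and member addresses are constructed placeholders.

```python
import hmac
import json
from typing import Optional

# Placeholder only; Fulcrum's actual SCIM base URL is not given in this article.
SCIM_BASE_URL = "https://SCIM_BASE_URL_PLACEHOLDER/scim/v2"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed token and token store: token -> member who generated it in Fulcrum.
EXAMPLE_TOKEN = "constructed-api-token-0123"
TOKEN_STORE = {EXAMPLE_TOKEN: "owner@example.com"}


def scim_headers(api_token: str) -> dict:
    """Headers the IdP sends on every SCIM call: the Fulcrum API token as a bearer token (Step 2)."""
    return {
        "Authorization": f"Bearer {api_token}",
        "Content-Type": "application/scim+json",
        "Accept": "application/scim+json",
    }


def build_create_user_request(api_token: str, first_name: str, last_name: str, email: str) -> dict:
    """POST /Users body for a new member, following the RFC 7643 core User schema."""
    body = {
        "schemas": [USER_SCHEMA],
        "userName": email,
        "name": {"givenName": first_name, "familyName": last_name},
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }
    return {"method": "POST", "url": f"{SCIM_BASE_URL}/Users",
            "headers": scim_headers(api_token), "body": json.dumps(body)}


def build_deprovision_request(api_token: str, scim_user_id: str) -> dict:
    """PATCH /Users/{id} setting active=false: the standard SCIM deprovisioning operation."""
    body = {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return {"method": "PATCH", "url": f"{SCIM_BASE_URL}/Users/{scim_user_id}",
            "headers": scim_headers(api_token), "body": json.dumps(body)}


def body_of(request: dict) -> dict:
    """Decode a built request's JSON body (helper for inspection and tests)."""
    return json.loads(request["body"])


# --- Service side (constructed model of the note above) ---

def authorize_scim_request(headers: dict, token_store: dict) -> Optional[str]:
    """Return the owning member if the bearer token is valid, else None.

    Comparison is constant-time so token lookups do not leak by timing."""
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not presented:
        return None
    for stored_token, owner in token_store.items():
        if hmac.compare_digest(stored_token.encode(), presented.encode()):
            return owner
    return None


def remove_member(token_store: dict, member_email: str) -> dict:
    """Removing a member removes the tokens they created; SCIM calls using them then fail,
    which is why the integration must be reconfigured with a token from another member."""
    return {tok: owner for tok, owner in token_store.items() if owner != member_email}


if __name__ == "__main__":
    req = build_create_user_request(EXAMPLE_TOKEN, "Ada", "Lovelace", "ada@example.com")
    print("authorized as:", authorize_scim_request(req["headers"], TOKEN_STORE))
    print("after owner removed:", authorize_scim_request(req["headers"],
                                                        remove_member(TOKEN_STORE, "owner@example.com")))
```

Generating the SCIM token from a dedicated service account, rather than from an individual administrator's Fulcrum login, avoids the outage the note describes when that person is offboarded.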